Thanks for the pointer on metrics.log. When I compare the file between the two envs, I find references to the light-forwarder on the env where filtering is not working:
01-12-2011 01:29:21.021 INFO Metrics - group=pipeline, name=parsing, processor=send-out-light-forwarder, cpu_seconds=0.000000, executes=36, cumulative_hits=221543
01-12-2011 01:29:21.021 INFO Metrics - group=pipeline, name=parsing, processor=tcp-output-light-forwarder, cpu_seconds=0.000000, executes=36, cumulative_hits=221543
Since I know LWF does not support filtering, this could be the issue. However, I start splunk on both envs the same way:
./splunk start --accept-license
./splunk enable app SplunkForwarder -auth admin:changeme
./splunk add forward-server 10.10.41.109:9997 -auth admin:changeme
./splunk disable webserver -auth admin:changeme
./splunk enable boot-start
./splunk restart
The enable command certainly does not activate the LWF. So where are processor=send-out-light-forwarder and tcp-output-light-forwarder specified?
Thanks.
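As an added example (not part of the original post or of Splunk itself), the following script parses the key=value fields of metrics.log "group=pipeline" entries like the two quoted above and reports, per pipeline, which processors appear in one environment but not the other, which is how the light-forwarder processors were spotted. The sample lines are constructed to mirror the post; the real files would be read from each environment's $SPLUNK_HOME/var/log/splunk/metrics.log.

```python
import re
from typing import Dict, List, Set

# Constructed sample metrics.log lines, one list per environment. Only env A
# contains the "light-forwarder" processors, as in the post.
ENV_A_LINES = [
    "01-12-2011 01:29:21.021 INFO Metrics - group=pipeline, name=parsing, processor=send-out-light-forwarder, cpu_seconds=0.000000, executes=36, cumulative_hits=221543",
    "01-12-2011 01:29:21.021 INFO Metrics - group=pipeline, name=parsing, processor=tcp-output-light-forwarder, cpu_seconds=0.000000, executes=36, cumulative_hits=221543",
    "01-12-2011 01:29:21.021 INFO Metrics - group=pipeline, name=parsing, processor=utf8, cpu_seconds=0.010000, executes=36, cumulative_hits=221543",
]
ENV_B_LINES = [
    "01-12-2011 01:29:52.004 INFO Metrics - group=pipeline, name=parsing, processor=utf8, cpu_seconds=0.010000, executes=36, cumulative_hits=221543",
    "01-12-2011 01:29:52.004 INFO Metrics - group=pipeline, name=parsing, processor=regexreplacement, cpu_seconds=0.020000, executes=36, cumulative_hits=221543",
    "01-12-2011 01:29:52.004 INFO Metrics - group=queue, name=parsingqueue, max_size=1000, current_size=0",
]

# key=value pairs separated by ", " after the "Metrics - " marker
KV_RE = re.compile(r"(\w+)=([^,]+)")

def parse_metrics_line(line: str) -> Dict[str, str]:
    """Return the key=value fields of a Metrics line as a dict; {} if it is not one."""
    marker = "Metrics - "
    idx = line.find(marker)
    if idx < 0:
        return {}
    return {k: v.strip() for k, v in KV_RE.findall(line[idx + len(marker):])}

def pipeline_processors(lines: List[str]) -> Dict[str, Set[str]]:
    """Map pipeline name -> set of processors seen in group=pipeline entries."""
    result: Dict[str, Set[str]] = {}
    for line in lines:
        fields = parse_metrics_line(line)
        if fields.get("group") != "pipeline" or "processor" not in fields:
            continue  # skip queue metrics and non-Metrics lines
        result.setdefault(fields["name"], set()).add(fields["processor"])
    return result

def processor_diff(a: List[str], b: List[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Per pipeline: processors present only in env A ('only_a') or only in env B ('only_b')."""
    pa, pb = pipeline_processors(a), pipeline_processors(b)
    out: Dict[str, Dict[str, Set[str]]] = {}
    for name in sorted(set(pa) | set(pb)):
        only_a = pa.get(name, set()) - pb.get(name, set())
        only_b = pb.get(name, set()) - pa.get(name, set())
        if only_a or only_b:
            out[name] = {"only_a": only_a, "only_b": only_b}
    return out

if __name__ == "__main__":
    for pipeline, d in processor_diff(ENV_A_LINES, ENV_B_LINES).items():
        print(pipeline, "only in A:", sorted(d["only_a"]), "only in B:", sorted(d["only_b"]))
```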